Who is F5?

Think app security first

Apps are the gateway to your data—and your customer’s data. How do you protect your apps from today’s threats? By understanding them: knowing their components, supporting infrastructure, and what makes them vulnerable to attack. When you understand your apps, you’ll understand where to focus your resources to secure them.

App-centric security

Know what makes your apps vulnerable and how they can be attacked, so you can put the right solutions in place to lower your risk. Gain the application security you need to mitigate today's advanced threats and continue moving your business forward.

API attacks

An application programming interface (API) is a set of protocols, routines, and tools meant to
be used by another application, as opposed to a user interface, designed for people. APIs
are provided by applications for automated access by other applications to stitch together
functionality. APIs often have full and complete access to applications for sharing and storing
data. For example, a weather application on a smartphone uses an API to collect real-time
weather data from a source like the National Weather Service. APIs are subject to many of
the same types of attacks as a user interface, but are especially vulnerable to SQL injection,
other injection attacks, and access attacks. They are sometimes overlooked in application security assessments
because they aren't immediately visible to users.

Injection

A broad category of attack vectors that enable an attacker to supply (“inject”) untrusted input
into a program, which then changes the way the program works. Attackers can also use injection
attacks to plant malware on a computer, for example, so an attacker can execute remote commands.
There are many types of injection attacks, a common one being SQL injection, which enables
an attacker to manipulate SQL statements and gain control of a system's database.

Distributed denial-of-service (DDoS)

An attack designed to significantly impair the performance of an application or service or prevent
an authorized user from accessing it at all. DDoS attacks typically originate from an “army”
of hacker-controlled bots.

All layers of an application have a capacity limit or are designed in a way that makes them vulnerable
to DDoS attacks. Attackers often launch several attack types at the same time, targeting
multiple app components. So, defense must be comprehensive. The most common types of DDoS
attacks include volumetric, which consumes all available bandwidth across the connection
between an app and the network; computational attacks that attempt to exhaust infrastructure
resources, causing an app to crash or perform poorly; and application attacks that mimic
legitimate application requests but attempt to overload web server resources like CPU or
memory.

Abuse of Functionality

An attack that uses a website's own features and functionality to consume, defraud, or circumvent
access control mechanisms. Some website functionality, even security features, can be abused
to cause unexpected behavior. When a piece of functionality is vulnerable to abuse, an attacker
could annoy other users or perhaps defraud the system entirely. The potential for and level
of abuse will vary from website to website and application to application.

Credential theft

Credentials are username and password combinations for applications or websites that require
a user to log in. Credential theft can occur in multiple ways; often the first step is a
phishing attack that attempts to trick users into giving up credentials or other sensitive
data.

Credential stuffing

Attackers obtain large volumes of user credentials (username/password pairs) stolen from previous data breaches and use automated tools to test them in the login fields of other, targeted websites. When a username/password pair grants the attackers access, they take over that account for fraudulent purposes.

Brute force

An exhaustive procedure (often involving automated tools) in which an attacker uses every possible
combination of letters, numbers, and symbols to determine one valid username and password
combination to gain unauthorized access to an application or website. Attackers often use
a dictionary of words or commonly used passwords or phrases as an aid in brute force attacks.
A common mitigation is to temporarily lock out user accounts after a specific number of failed
login attempts. However, this can result in a denial of service for those affected accounts.
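The credential-stuffing and brute-force patterns in the two entries above, as an added detection example (written for this page, not F5's code): it walks a constructed authentication log, flags source addresses that cycle through many different usernames with mostly failures (the stuffing signature), flags accounts that accumulate many failures regardless of source (the brute-force signature), and implements a per-account exponential backoff as an alternative to the hard lockout whose denial-of-service side effect the brute-force entry notes. The log format, the thresholds and the addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not data from the page): "<ts> <ip> <username> <result>".
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.5 bob FAIL
1002 203.0.113.5 carol FAIL
1003 203.0.113.5 dave FAIL
1004 203.0.113.5 erin OK
1005 203.0.113.5 frank FAIL
1010 198.51.100.7 alice FAIL
1011 198.51.100.7 alice FAIL
1012 198.51.100.7 alice FAIL
1013 198.51.100.7 alice FAIL
1014 198.51.100.7 alice FAIL
1015 198.51.100.7 alice FAIL
1020 192.0.2.9 bob OK
"""


def parse_log(text: str):
    """Parse '<ts> <ip> <username> <result>' lines into (ts, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, min_distinct_users=5, max_success_ratio=0.5):
    """Credential stuffing tries many *different* accounts from one source, and most
    breached pairs do not work here, so the success ratio stays low."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _, ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok
    return sorted(
        ip for ip in users
        if len(users[ip]) >= min_distinct_users
        and successes[ip] / attempts[ip] <= max_success_ratio
    )


def detect_brute_force(events, min_failures=5):
    """Brute force hammers one account; count failures per username across all sources."""
    failures = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            failures[user] += 1
    return sorted(user for user, n in failures.items() if n >= min_failures)


def login_delay_seconds(consecutive_failures, free_attempts=3, cap=300):
    """Exponential backoff after a few free attempts: slows an attacker by orders of
    magnitude without permanently locking the real user out (assumed policy values)."""
    if consecutive_failures < free_attempts:
        return 0
    return min(2 ** (consecutive_failures - free_attempts), cap)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", detect_credential_stuffing(evs))
    print("brute-forced accounts      :", detect_brute_force(evs))
    print("delay after 6 failures     :", login_delay_seconds(6), "s")
```

The two detectors key on different things on purpose: stuffing is visible per source address (one origin, many accounts), brute force per account (one account, many failures, possibly from many origins). The backoff caps at a few minutes so a flood of failures against a victim's account degrades their login rather than denying it outright.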

Phishing

Any type of fraudulent communication that's sent to multiple recipients at once via email, social
media, or text message, from someone impersonating a party or entity that the victim trusts.
The goal is to trick the user into providing private information (such as bank account numbers,
social security numbers, credit card numbers)—usually by clicking a link or opening an attachment.
There are several variations of phishing, such as spear phishing, in which a specific, often
high-level individual within an organization is targeted.

Key disclosure

The primary key material used to decrypt confidential data and establish authenticity is the
highest-value asset in the security infrastructure and should be well guarded. Similar to
credential theft, keys provide access to an app or network. They also provide access to encrypted
data at rest or in transit. Key material can be exposed in a variety of ways: by attackers
gaining access to the systems that host the key material, by accidentally “leaking” the key
in a backup or low-security data repository, or via an exploit like Heartbleed. High security
environments typically use specialized hardware key storage (see FIPS 140) to protect keys
from disclosure.

Certificate spoofing

Digital certificates (also known as SSL certificates) provide secure, encrypted communication
between a website and its users, decreasing the risk of sensitive information (like login
credentials or credit card numbers) being tampered with or stolen. Certificates are issued
to organizations by trusted certificate authorities (CAs) to verify the identity of the organization
to website users. Think of it as the equivalent of an individual's passport or driver's license.
Certificate spoofing occurs when an attacker presents a fake digital certificate on a malicious
website. This can lead to unsuspecting users trusting a malicious website or application,
making the user susceptible to malware infection, man-in-the-middle attacks, or stolen credentials.

Session hijacking

The attacker uses captured, brute-forced, or reverse-engineered session IDs to take control of
a legitimate user's web application session while the session is still in progress.
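An added example of the server-side controls that limit session hijacking (not code from the page or from F5): session IDs drawn from the operating system's CSPRNG so they cannot be guessed or brute-forced, an idle timeout that bounds how long a captured ID stays valid, and rotation of the ID at login so an ID observed before authentication is useless afterwards. The store, the timeout value and the injectable clock are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session table with unguessable IDs, idle expiry and rotation."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}          # session_id -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable for testing (assumed design choice)

    def create(self, user=None):
        # 32 random bytes = 256 bits from the OS CSPRNG; infeasible to enumerate.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session for a presented ID, or None if unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[sid]  # a stolen ID stops working once the user goes idle
            return None
        session["last_seen"] = now
        return session

    def authenticate(self, old_sid, user):
        """Rotate the ID at login: discard the pre-login session and issue a fresh one."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Invalidate the session server-side, not just in the client's cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    anon = store.create()
    sid = store.authenticate(anon, "alice")
    print("pre-login id still valid?", store.lookup(anon) is not None)   # False
    print("post-login user         :", store.lookup(sid)["user"])        # alice
```

Pair this with transport protection (the TLS tier) and `Secure`/`HttpOnly` cookie attributes; the store above only addresses the guessing, reuse and lifetime parts of the problem.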

Protocol abuse

Protocols have defined purposes and usages, such as port 443 for HTTPS or encrypted web traffic. Attackers
can abuse these by using a known protocol, which may be allowed through a traditional firewall,
as a covert channel to transfer stolen data or issue commands to malware deep inside a network. When
attackers send non-HTTPS traffic across defined ports (or any other port for which the traffic
violates the intended purpose or communications protocol), it's protocol abuse.

DNS cache poisoning

This attack occurs when an attacker injects a forged DNS entry into the DNS cache (for example,
a DNS cache server used by an ISP, which is in turn used by many end users). The fake DNS
entry resolves a common domain name to an IP address specified by the attacker. As a result,
any user requesting to connect to that site (such as www.example.com) is connected to a fake
website.

DNS spoofing

A broad category of attacks that attempt to spoof Domain Name System (DNS) records. This can
involve DNS spoofing, compromising a DNS server, carrying out a DNS cache poisoning attack,
guessing a sequence number in a request, or launching a man-in-the-middle attack.

DDoS

The Domain Name System (DNS) is the “address book” for the Internet, effectively looking up the
correct IP address for a user-friendly website name (such as www.example.com) requested by
a user. Also known as a DNS flood, this type of attack involves the attacker sending a barrage
of requests to the DNS servers of a specific domain in an attempt to overload them with requests,
disrupting the address lookup process and preventing the user from connecting to the requested
site.

DNS (Domain Name System) hijacking

An attack that forcibly redirects traffic intended for a website requested by a user to a website
designated by the attacker. In this type of attack, an unsuspecting victim, thinking they're
connecting to their banking website, is actually connecting to a fake banking website where
the attacker can steal their username and password when they attempt to log in. This attack
is often accomplished by an attacker infecting a user's computer with malware that changes
its DNS settings, directing the user's computer to connect to a malicious DNS server when
they enter a user-friendly domain name.

Eavesdropping

In networking, eavesdropping takes the form of an attacker using special network monitoring software
(also known as a sniffer) to intercept and record communication between two parties (for
example, between two hosts or a client and a server) with the goal of capturing valuable,
sensitive information. In wireless network environments, mitigation involves using strong
encryption methods that operate at the lowest possible layers of the protocol stack.

Distributed denial-of-service (DDoS)

All denial-of-service attacks are designed to disrupt or make services completely unavailable
to the user. DDoS attacks overwhelm the system with too many requests to handle. At the network
level, these attacks involve disrupting the function of network/perimeter firewalls, load
balancers, or other network devices, making an entire network unreachable as opposed to just
a specific server, website, or application.

Man-in-the-middle (MITM)

A form of eavesdropping (that also involves impersonation) in which attackers insert themselves
into a network communication, often between a client and a web application. A successful
attack lets an attacker have full access to the conversation and secretly alter it. For example,
an attacker might hijack communication between a target and their banking website, stealing
the target's login credentials or redirecting funds from the target's bank account to the
attacker's account.

Protocol Abuse

Network protocols have defined purposes and uses, such as port 443 for HTTPS or encrypted web
traffic. Attackers can abuse these by using a known protocol, which may be allowed through
a traditional firewall, as a covert channel to transfer stolen data or issue commands to
malware inside a network. When attackers send non-HTTPS traffic across defined ports (or
any other port for which the traffic violates the intended purpose or communications protocol),
it's known as protocol abuse.
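Both protocol-abuse entries on this page give the same example: traffic on port 443 that is not HTTPS. As an added detection example (not code from the page or from F5), the check below looks at the first bytes a client sends on a port-443 flow and asks whether they form a TLS handshake record carrying a ClientHello; anything else on that port is reported. The flow records are constructed samples, and the classification labels are assumptions for the example.

```python
# Constructed sample of the first payload bytes seen on several TCP flows (not captured data):
# (source address, destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    # TLS record: type 0x16 (handshake), version 3.1, then handshake type 0x01 (ClientHello)
    ("10.0.0.5", 443, bytes.fromhex("160301002c010000280303") + b"\x00" * 32),
    ("10.0.0.8", 443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # plaintext HTTP on 443
    ("10.0.0.9", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),                           # SSH banner on 443
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),    # HTTP where HTTP belongs
]


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start a TLS record of content type 'handshake' whose first
    handshake message is a ClientHello. Record layout: type(1) version(2) length(2) msg_type(1)."""
    if len(payload) < 6:
        return False
    record_type, major, minor, handshake_type = payload[0], payload[1], payload[2], payload[5]
    # Record-layer version is 3.0 through 3.4 (SSL 3.0 through TLS 1.3 on the wire).
    return record_type == 0x16 and major == 0x03 and minor <= 0x04 and handshake_type == 0x01


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """Port 443 is reserved for HTTPS; anything else there violates the protocol's purpose."""
    if dst_port != 443:
        return "other"
    return "tls" if looks_like_tls_client_hello(first_bytes) else "protocol-abuse"


def find_protocol_abuse(flows):
    """Return the sorted set of source addresses that sent non-TLS traffic to port 443."""
    return sorted({src for src, port, data in flows if classify_flow(port, data) == "protocol-abuse"})


if __name__ == "__main__":
    for src, port, data in SAMPLE_FLOWS:
        print(f"{src:>10} -> {port:<4} {classify_flow(port, data)}")
    print("sources abusing 443:", find_protocol_abuse(SAMPLE_FLOWS))
```

This is a first-packet heuristic: it catches raw tunnels and misdirected services, but a covert channel wrapped in a genuine TLS handshake passes it, which is why the page's point about inspecting what TLS carries (the TLS tier) still applies.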

What are apps and how are they attacked?

Applications are made up of many independent components, running in separate environments with different
requirements and a supporting infrastructure that's glued together over networks. Each component, or
tier, can be a target. To evaluate defenses, you need to understand the attack surface of each tier.

SERVICES TIER

Web servers, content delivery networks, and app or database servers are the base for web application
services. Also part of this tier are frameworks, libraries, and plugins, and internal code that provides
an app's core functionality. Attackers frequently scan for unpatched components within this tier,
making it the focus of common attacks, such as injection or business logic flaws.

ACCESS TIER

Access is the gateway to the data that an app processes or stores. This tier provides web, mobile, and
API clients the ability to authenticate and get authorization to access an application, so it needs
to be secure and efficient.

An analysis of breach records shows that 33 percent of web app breaches are access related, with phishing,
brute force, and credential stuffing attacks leading the way.

TLS/SSL TIER

The transport layer security tier includes HTTPS, TLS, and even the outdated SSL protocol. It provides
confidentiality for clients and apps communicating over untrusted networks, ensuring attackers can't
tamper with data in transit.

Flawed libraries or implementations can lead to vulnerabilities like Heartbleed or denial-of-service
attacks. TLS is also used to hide payloads that target other tiers of the app.

DNS TIER

The "address book" of the Internet, DNS translates domain names into IP addresses so browsers can load
Internet resources. This tier includes all DNS servers needed by the client and the app, as well
as the relevant registrars of those apps' domains.

App availability can be disrupted if its DNS suffers a DDoS attack. Alternatively, DNS can be targeted
in a hijacking attempt that can compromise an app's confidentiality or integrity.

NETWORK TIER

Clients and apps need a network to connect. Many applications exist on or communicate over the biggest
network—the Internet. An app also typically resides on an internal network, allowing app admins to
connect and make changes.

The network tier is a target of multiple types of DDoS attacks. Compromised internal networks can lead
to unauthorized disclosure, alteration, or destruction of data.

ATTACK TYPES

DDOS

The purpose of a DDoS attack is to make an application unavailable. DDoS attacks typically originate
from an "army" of hacker-controlled bots.

All tiers of an app have a capacity limit or are designed in a way that's vulnerable to DDoS attacks.
Volumetric attacks target the network tier, overwhelming bandwidth. Others target server or infrastructure
resources such as CPU, memory, or state tables.

WEB APPLICATION

Web app attacks target the data held by apps through layer 7 by attempting to steal a user's credentials
via a man-in-the-middle attack or exploiting vulnerabilities in servers, frameworks, libraries or
even business logic flaws within custom code.

Also included are access-control attacks, like credential stuffing, brute force attacks, and credential
theft via malware or phishing.

APP INFRASTRUCTURE

Application infrastructure refers to the systems that applications depend on that are external to the
app itself. Attacks against application infrastructure target TLS, DNS, and the network tiers. These
attacks can include compromising a vulnerable implementation of TLS/SSL, spoofing DNS to divert user
traffic, a man-in-the-middle attack on a network, or a DDoS attack on any of these tiers.